[solved]Hardened Gentoo for Server

Message

janskey · Post by **janskey** » Thu May 25, 2006 6:05 am

Hi Guru's

hi guyz..i need help..i'm building DNS, Proxy and IDS [all in one box, P4 1.7Ghz-5Gig Drive-378Mb Memory]..i want to install for hardened gentoo..i dont know where to start..i was thinking of installing hardened stage3,new portage and hardened kernel..is this right?

janskey

Suer7reus · Post by **Suer7reus** » Thu May 25, 2006 6:38 am

Some thoughts:
First off, go for it; its really pretty easy to get such a box started and you can learn an awful lot by going more in-depth than is necessary for basic functionality. That said, use Squid for the proxy, and stay the hell away from BIND unless you NEED it.

Second, good luck with the 5 gig drive. I'm using links from a laptop I'm building right now, and after excluding all the temporary directories like /usr/portage/distfiles and /var/tmp/portage etc., I'm up to about 4 gigs. Your mileage will vary, to be sure, (not putting Gnome/KDE on there would help a lot), but if you expect any room for expansion I'd suggest a bigger drive. 20 is more than enough, but 5 seems a little on the small side. Also consider that a 5 gig drive is probably older and therefore slower than a slightly less ancient 10 or 20 might be. Drive prices are very reasonable these days, especially for the smaller sizes. As a bonus, you could always add a fileserver function later with a bigger drive.

Third, having set up a hardened box myself, decide now whether or not you're going to use SELinux and if so, do so from the ground up. Kernel and compiler hardening can be switched more or less on the fly (i.e. a reboot and an emerge -e world, respectively) in my experience, but I had a bitch of a time going SELinux from a vanilla box. The hardened kernel patches are great - definitely read the menuconfig help on the PaX and grsec options though, or you stand no chance of making good choices on your own. If set up properly, those options should rarely cause you problem while making your environment considerably safer. Compiler hardening is splendid too; PIE+SSP Just Work.

Good luck; it sounds like you're on the right track =).

janskey · Post by **janskey** » Thu May 25, 2006 8:51 am

Suer7reus,

actually i'm confused with the hardened gentoo..what are those subprojects that hardened gentoo manual says [SELinux,RSBAC,Hardened-Sources, etc..], are they modules for hardened or options to be used..?

Sachankara · Post by **Sachankara** » Thu May 25, 2006 9:25 am

janskey wrote:Suer7reus,

actually i'm confused with the hardened gentoo..what are those subprojects that hardened gentoo manual says [SELinux,RSBAC,Hardened-Sources, etc..], are they modules for hardened or options to be used..?

They are different kernel sources. SELinux requires you to install a SELinux stage or bootstrap with the USE flag "selinux". Can't say much about RSBAC since I haven't used it. "hardened-sources" is what I use myself with PaX, grsecurity and RBAC* support, and it doesn't require too much work to get it "going".

*Role Based Access Control - requires the gradm package.

janskey · Post by **janskey** » Thu May 25, 2006 9:36 am

Sachankara wrote:
janskey wrote:Suer7reus,

actually i'm confused with the hardened gentoo..what are those subprojects that hardened gentoo manual says [SELinux,RSBAC,Hardened-Sources, etc..], are they modules for hardened or options to be used..?
They are different kernel sources. SELinux requires you to install a SELinux stage or bootstrap with the USE flag "selinux". Can't say much about RSBAC since I haven't used it. "hardened-sources" is what I use myself with PaX, grsecurity and RBAC* support, and it doesn't require too much work to get it "going".

*Role Based Access Control - requires the gradm package.

hi Message Sachankara,

thanks for the info's..actually i still didnt get it..what i didnt get is that the whole hardened gentoo.. actually what i understant is that there is a hardened-stage3, intall it, install portage, chroot to it..then install a hardened-sources, compile it..then its now a hardened server..

but what i've seen in the documentation of the hardened gentoo.there are subprojects that i dont get it if they're modules for enhancement of the server or another kernel to be install or just USE flags..[SELinux,RSBAC,Hardened-Sources, etc..] are the subprojects i mean..i'm just confused how it works.ehaehhae..

Sachankara · Post by **Sachankara** » Thu May 25, 2006 10:19 am

janskey wrote:
Sachankara wrote:
janskey wrote:Suer7reus,

actually i'm confused with the hardened gentoo..what are those subprojects that hardened gentoo manual says [SELinux,RSBAC,Hardened-Sources, etc..], are they modules for hardened or options to be used..?
They are different kernel sources. SELinux requires you to install a SELinux stage or bootstrap with the USE flag "selinux". Can't say much about RSBAC since I haven't used it. "hardened-sources" is what I use myself with PaX, grsecurity and RBAC* support, and it doesn't require too much work to get it "going".

*Role Based Access Control - requires the gradm package.
hi Message Sachankara,

thanks for the info's..actually i still didnt get it..what i didnt get is that the whole hardened gentoo.. actually what i understant is that there is a hardened-stage3, intall it, install portage, chroot to it..then install a hardened-sources, compile it..then its now a hardened server..

but what i've seen in the documentation of the hardened gentoo.there are subprojects that i dont get it if they're modules for enhancement of the server or another kernel to be install or just USE flags..[SELinux,RSBAC,Hardened-Sources, etc..] are the subprojects i mean..i'm just confused how it works.ehaehhae..

Well, there are two ways of installing the most simple security "package" (hardened-sources) :

Method 1:
a) Add the following USE flags to your system: "hardened pic" (could also recommend "erandom nptl nptlonly xattr acl caps")
b) emerge glibc gcc binutils
c) Change gcc compiler profile to the hardened one. Start with listing all profiles:

Code: Select all

gcc-config -l
 [1] i586-pc-linux-gnu-3.4.5
 [2] i586-pc-linux-gnu-3.4.5-hardenednopie
 [3] i586-pc-linux-gnu-3.4.5-hardenednopiessp
 [4] i586-pc-linux-gnu-3.4.5-hardenednossp
 [5] i586-pc-linux-gnu-3.4.5-vanilla *

Code: Select all

gcc-config 1
source /etc/profile

Now it should look like this:

Code: Select all

 [1] i586-pc-linux-gnu-3.4.5 *
 [2] i586-pc-linux-gnu-3.4.5-hardenednopie
 [3] i586-pc-linux-gnu-3.4.5-hardenednopiessp
 [4] i586-pc-linux-gnu-3.4.5-hardenednossp
 [5] i586-pc-linux-gnu-3.4.5-vanilla

d) emerge -e world
e) emerge hardened-sources paxtest pax-utils chpax paxctl
f) Configure your kernel and start with the highest security settings.
g) Reboot.

Method 2:
a) Start from scratch. Download a Hardened Gentoo stage 3 package. Install like you'd normally do.
b) Run gcc-config -l and make sure you use a hardened gcc profile.
c) emerge hardened-sources paxtest pax-utils chpax paxctl
d) Configure your kernel and start with the highest security settings.
e) Reboot.

When you're ready for tightening up the system further, emerge gradm, and then take a look at the Gentoo RBAC guide.

P.S. To make sure everything is working like it should when you've booted into your new system. Do either of the following:

Code: Select all

paxtest kiddie
or
paxtest blackhat

janskey · Post by **janskey** » Thu May 25, 2006 10:48 am

Sachankara,

thanks a lot..i learned a lot for this..aehhae..another question would be what are those subprojects of hardened gentoo..are they modules, USE flags or security installers..?

what if i'll make this computer to become also a virtual server for my developers..do i need to compile vserver-sources?some of my team mates need test box/beds for their softwares for testing..any advice for this?

Sachankara · Post by **Sachankara** » Thu May 25, 2006 11:23 am

janskey wrote:Sachankara,

thanks a lot..i learned a lot for this..aehhae..another question would be what are those subprojects of hardened gentoo..are they modules, USE flags or security installers..?

what if i'll make this computer to become also a virtual server for my developers..do i need to compile vserver-sources?some of my team mates need test box/beds for their softwares for testing..any advice for this?

aehhae?

Subprojects? You mean those you'll find on this page: http://www.gentoo.org/proj/en/hardened/ ? Well, if so, this is how it works:

SELinux: is a kernel and a toolchain. (Kernel, use flags, utilities)
RSBAC: is a kernel and has a few necessary utils. Includes PaX kernel patch.
PaX/grsecurity: are patches for your kernels.
Hardened toolchain: glibc, gcc, binutils and more - which includes PaX functionality such as Stack Smashing Protection.
Hardened sources: Somewhat older but stable releases of gentoo-sources with the PaX and grsecurity patches. The easiest package to use if you're inexperienced.
Bastille: Well, as it says on the page. It's just an application (like a so called wizard) which helps you securing your system. Might cause more problems than expected if you play around a little bit too much.

So either you use SELinux+hardened toolchain+tools, RSBAC+hardened toolchain+tools or Hardened sources(PaX/grsecurity/RBAC)+hardened toolchain+tools.

For the virtual server bit: Well, it's hard to say. It depends on what they need to do. There are a few options, but so far none of the virtualization methods that requires kernel sources works with any of the hardened kernels. You'll have to wait for, for example, a hardened-sources patched with Xen. You could always use qemu or a chroot. Grsecurity can increase the chroot security until they are almost unusable (if one wants to).

janskey · Post by **janskey** » Thu May 25, 2006 1:02 pm

Sachankara,

thanks a lot..now its clear to me whats a hardened gentoo is..any way..if i would let you chose on building production server for company..which one would you choose?

Sachankara · Post by **Sachankara** » Thu May 25, 2006 5:44 pm

janskey wrote:Sachankara,

thanks a lot..now its clear to me whats a hardened gentoo is..any way..if i would let you chose on building production server for company..which one would you choose?

I'd choose the one I know best. They all have their strenghts and weaknessess. A weaker system set up by someone who knows it from the inside and out is almost always more secure than a strong system set up by someone who doesn't know what he/she is really doing. As people often say: "Security is not a tool or an application - it's a process". Meaning that the tools can't do everything for you. If you really haven't used any of the systems yet, start with hardened-sources (PaX/grsecurity), continue with RBAC and work your way up.

janskey · Post by **janskey** » Mon May 29, 2006 3:05 am

hey guys..

thanks a lot..this are great tips..

JohnerH · Post by **JohnerH** » Sun Jan 07, 2007 7:19 pm

Bonza..... Just the advised I needed for setting up my homoe server....

Cheers guys,

J

JohnerH · Post by **JohnerH** » Sat Jan 13, 2007 3:43 pm

I've just noticed something, there's 2 different profiles available for security....

There:

/usr/portage/profiles/hardened/x86/2.6

And

/usr/portage/profiles/selinux/2005.1/x86

Which one should be used? And what's the difference?

Thank you in advance,

J

Xoalin · Post by **Xoalin** » Sat Jan 13, 2007 4:58 pm

The one is for selinux which is apart of the gentoo hardened project, BUT it has it's own requirements that need to be met. Thus has it's own profile.

Fair amount of info to read up on the differences between the grsecurity, rsbac and selinux in Hardened Gentoo docs.